When third-party risk gets murky
What can a legal department do to manage bigger risk exposure?
Security for financial firms all too often extends beyond a firm’s borders, and beyond the risk function’s scope. A financial firm’s legal department, in particular, faces thorny challenges when it comes to managing risk across internal and external counsel.
Legal firms have different, and generally less stringent, risk management requirements, so data shared with them can be at risk. Cyber attackers keep law firms in their sights because data gained in an attack is useful in and of itself, and might also tip investors about possible activities such as upcoming mergers & acquisitions. Reputation is also at risk: If a law firm is breached, word gets out about that firm and about its clients, such as financial firms.
What can a legal department do to manage this bigger risk exposure? Accenture’s report, Third-Party Risk Discipline for Legal Departments, offers ideas.
The path ahead
Legal departments of financial firms would be well served to implement disciplined, systematized controls that balance costs and benefits across in-house legal providers, preferred outside providers and non-preferred outside providers. A comprehensive approach that tracks legal work across all providers not only monitors adherence to the risk methodology, but can also yield resource and budgeting insights.
What do the various options look like? Here’s a glimpse:
In-house counsel: Likely presents the lowest risk, and should already use in-house systems and procedures. But can in-house counsel adjust to variable workflow? Does this team have the required depth of knowledge for tricky legal issues?
Preferred outside counsel: By creating a preferred counsel list, a financial firm may find providers willing to undergo risk assessment and onboarding reviews. This approach may also support preferred vendor discounts. And, it could motivate select vendors to build a sustainable level of knowledge about a financial firm’s business, making for a strong partnership.
Specialty outside counsel: Specific expertise around unique issues or tied to certain jurisdictions could lead to hiring “non-preferred” outside counsel. One solution might be to choose vendors willing to submit to a short-notice vendor risk evaluation. An end-of-project off-boarding process might also be needed.